From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: FTP-server on non-standard port behind DNAT, client behind SNAT
Date: Tue, 11 Nov 2008 16:16:20 +0100	[thread overview]
Message-ID: <4919A1C4.6080207@plouf.fr.eu.org> (raw)
In-Reply-To: <1226405797.16116.19.camel@casper.meteor.dp.ua>

Hello,

Pokotilenko Kostik wrote:
> I have proftpd-server with virtual hosts running on 21 and 3421 ports.
> Both are masquerading to the public IP of a gateway/nat.
> 
> Gateway/nat running:
> ip_conntrack_ftp ports=21,3421
> ip_nat_ftp ports=21,3421
> 
> Using a client behind the SNAT I can connect to 21 and get directory
> listing in passive mode, can connect to 3421 but CAN'T get directory
> listing in passive mode.
> 
> Seems like ip_conntrack_ftp/ip_nat_ftp doesn't spy on port 3421. What can
> be wrong? How to debug?
> 
> Directory listing on 21 goes well:
> 
> ftp> pass
> Passive mode on.
> ftp> ls
> 227 Entering Passive Mode (xxx,xxx,xxx,xxx,236,99).
> 150 Opening ASCII mode data connection for file list
> [directory listings]
> 226 Transfer complete.
> ftp>
> 
> When trying to get directory listing on 3421 I get:
> 
> ftp> pas
> Passive mode on.
> ftp> ls
> 227 Entering Passive Mode (xxx,xxx,xxx,xxx,157,8).
> ftp: connect: Connection refused
> ftp>
> 
> where xxx,xxx,xxx,xxx: public IP of gateway/nat of a FTP server.

AFAIK, the public address in the reply to the PASV command means that 
ip_conntrack_ftp and ip_nat_ftp monitor the control connection on port 
3421 too, unless the server itself advertised the public address. Could 
it be the client-side SNAT which rejects the data connection?
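
Pascal's reasoning turns on what the 227 reply advertises, so it helps to decode that reply precisely. The Python below is an added example for this thread, not code from the original mail or from netfilter: it parses a 227 reply per RFC 959 (six 8-bit fields, data port = p1*256 + p2) and compares the advertised host with the address the client's control connection is open to and with the server's real address behind the DNAT. For the two replies quoted above, the port fields decode to 60515 (236,99) and 40200 (157,8). The 192.0.2.x and 10.0.0.x addresses are constructed RFC 5737/1918 values standing in for the redacted xxx,xxx,xxx,xxx; the function names and the labels returned by classify() are the example's own.

```python
"""Decode FTP 227 PASV replies and say what the advertised address tells you.

Added example for this netfilter thread; not code from the original mail.
Sample addresses are constructed documentation/private addresses.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# RFC 959 section 4.2: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Each field is an 8-bit decimal value; the data port is p1*256 + p2.
# The pattern tolerates free text before the parenthesis and a trailing period.
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class PasvTarget:
    host: IPv4Address
    port: int


def parse_pasv(reply: str) -> PasvTarget:
    """Parse one 227 reply line into the host/port the client will connect to."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        # e.g. the client-side "ftp: connect: Connection refused" line is not a reply
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of 8-bit range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return PasvTarget(IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), port)


def classify(target: PasvTarget, control_peer: str, server_lan_addr: str) -> str:
    """Compare the advertised host with the addresses the client actually knows.

    control_peer    address the client's control connection is open to
                    (the gateway's public address in this thread)
    server_lan_addr the FTP server's real address behind the DNAT
    """
    if target.host == IPv4Address(server_lan_addr):
        # The reply crossed the gateway unrewritten: the NAT helper is not
        # watching this control port (port missing from "ports=", or no helper).
        return "private-address-leaked"
    if target.host == IPv4Address(control_peer):
        # Either ip_nat_ftp rewrote the reply on the way out, or the server
        # was configured to advertise the public address itself.  The reply
        # alone cannot tell these apart; the server-side config and the
        # traffic on the gateway's LAN side can.
        return "public-address"
    # Neither address: a third host, or a misconfigured masquerade setting.
    return "third-party-address"


if __name__ == "__main__":
    # Constructed stand-ins for the two replies quoted in the thread.
    for reply in ("227 Entering Passive Mode (192,0,2,10,236,99).",
                  "227 Entering Passive Mode (192,0,2,10,157,8)."):
        t = parse_pasv(reply)
        print(f"{t.host}:{t.port} -> {classify(t, '192.0.2.10', '10.0.0.5')}")
```

Run against the client's own control-connection transcript: a "private-address-leaked" result means the helper never saw that control port, while "public-address" on both 21 and 3421, as in the thread, points the search away from the PASV rewrite and towards whatever sits between the client and the gateway's data port.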


Thread overview: 6+ messages
2008-11-11 12:16 FTP-server on non-standard port behind DNAT, client behind SNAT Покотиленко Костик
2008-11-11 15:16 ` Pascal Hambourg [this message]
2008-11-11 15:54   ` Покотиленко Костик
2008-11-11 19:15     ` Pascal Hambourg
2008-11-12  9:09       ` Покотиленко Костик
2008-11-12 11:03         ` Pascal Hambourg
